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(54) Processing module with function selection 

(57) A data processing module comprises a processor 21 for storing a plurality of function algorithms F0\ F1 .... 
Fn and for executing a designated one of them; and a controller 22 for selecting one of the algorithms to be 
subsequently executed on the basis of all or part of a processing result Y. The selection may be deterministic or 
statistical and involve comparison of the result with extern ally-in put data. The processing result may be 
converted, 23, by masking to provide an output Y\ The module may be one of a series used in 
compressing/encrypting data blocks. 
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"DATA PROCESSING APPARATUS" 
The present invention relates to a data processing 
apparatus for compressing/encrypting message data by use 
of a plurality of function algorithms. The present 
5 invention also relates to a modularization technique for 
the data processing apparatus. 

In recent years, a data compression type encryption 
processing function (a hash function); which is applica- 
ble to the compression/encryption processing of message 
10 data, has attracted the attention of those skilled in 
the art. To put this function into practice, a method 
that utilizes, for example, the CBC (cipher block 
chaining) mode of the DES (data encryption standard) has 
been proposed . 

According to this method, message data subjected to 
data hashing is divided into data blocks of appropriate 
size (e.g., l bits) as follows: 
(Bi) (i = 1 to m) 

The encryption processing for the (k+i)th data 
block (k = 0 to m-l) is defined as follows: 
Cjc+x = FK(C k + B k+1 ) 

It is assumed that FK represents a block encryption 
processing function using an encryption key k (fixed). 
It is also assumed that where k = o, an initial vector 
25 i 0 is given to C 0 . In this case, the hash value is 
defined by the processing result C m obtained in the 
final stage of the processing. 
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However, the data compression/ encryption processing 
system utilizing the CBC mode has problems in that once 
the encryption key K is decoded, two different message 
data items having the same hash value may be easily 
produced . 

Let it be assumed that the data blocks of the two 
different message data items M and M 1 are expressed by: 
M = (Bi) 
M ' = {Bi') 

where i = 1 to m. If, in this case, the condition 
expressed by 

Cm-i + B m = C m _i' + Em- 
is satisfied, the hash values of M and M 1 become equal 
to each other though the message data items have been 
15 processed in different ways. 

in other words, "C m _i + B m « can be presumed based 
on hash value C m if the encryption key K is decoded. 
Hence, M ' , which has the same hash value as M, can be 
obtained by performing calculation, with a block group 
(Bi') (i = l to m-1) appropriately determined, and by 
determining the final block B m ' to satisfy the condition 
formula. This means that data collision may easily 
occur in the encryption processing method which is based 
on the hash function utilizing the CBC mode. 
25 An encryption LSI (large scale integration circuit) 

is known as a function processing module which is used 
to execute the function processing (e.g., encryption 
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processing) of data, for the data security purpose. in 
the prior art, the function processing module of this 
type supports only one function algorithm. Even if it 
supports a plurality of function algorithms, one of them 
is selected for use, in response to an external switch- 
ing control signal. Therefore, when a data processing 
apparatus of this type is fabricated as a module, it is 
necessary to ensure very reliable data security. 

As has been described, the use of the hash function 
utilizing, for example, the conventional CBC mode 
results in an increase in the possibility of the occur- 
rence of data collision. Therefore, a data processing 
apparatus adopting the hash function has to be so 
designed as to avoid the data collision, for ensuring 
data security, where the data processing apparatus of 
this type is fabricated as a module, consideration has 
to be given to ensure more reliable data security. 

The present invention has to be developed to solve 
the problems mentioned above, and the first object of 
the present invention is to provide a data processing 
apparatus which prevents data collision from occurring 
when data is subjected to compression/encryption 
processing, and which ensures reliable data security. 
The second object of the present invention is to provide 
a modularization technique which ensures the secrecy of 
data when the data processing apparatus of this type is 
fabricated as a module. 
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According to the present invention, there is pro- 
vided a data processing apparatus comprising: 

a block processing section (11) for dividing mes- 
sage data (B) into a plurality of blocks, so as to 
5 obtain a plurality of data blocks (Bi (i = 1 to m)); and 
a plurality of data conversion processing sections 
(12i) which are provided in correspondence to the data 
blocks (B ± ) and each of which stores a plurality of data 
conversion algorithms therein, a first one of the data 
10 conversion processing sections selecting one (At-!) of 

the data conversion algorithms in response to an initial 
selection control signal (S 0 ) and each of remaining ones 
of the data conversion processing sections selecting one 
( A i-1> of the data conversion algorithms in response to 
15 a selection control signal (Sj-i) supplied from a pre- 
ceding data conversion processing section (Bi_i), each 
of the data conversion processing sections (12jJ per- 
; forming data conversion processing with respect to the 
corresponding data block (Bi) on the basis of the 
20 selected data conversion algorithm and generating a 

selection control signal used for processing a next data 
block (B i+ i) on the basis of the data conversion 
processing. 

This invention can be more fully understood from 
. 25 the following detailed description when taken in con- 
junction with the accompanying drawings, in which: 

Fig. 1 is a block circuit diagram showing a data 
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processing apparatus according to the first embodiment 
of the present invention; 

Pig. 2 is a block circuit diagram showing the con- 
figuration of a compression/encryption circuit employed 
in the first embodiments- 
Fig. 3 is a block circuit diagram showing the con- 
figuration of a convolutional encoder which realizes the 
encryption algorithm determination method used in the 
first embodiment; 

Fig. 4 is a trellis diagram corresponding to the 
operation of the convolutional encoder shown in Fig. 3; 

Fig. 5 is a block circuit diagram showing a data 
processing apparatus according to the second embodiment 
of the present invention, the data processing apparatus 
being obtained by simplifying that of the first 
embodiment; and 

Fig. 6 is a block circuit diagram showing the con- 
figuration of a general-purpose data processing module 
according to the third embodiment, the data processing 
module being applicable not only to the data processing 
performed by the apparatuses shown in Figs, i and 5 but 
also to data processing of other kinds. 

The first embodiment of the present invention will 
now be described with reference to the accompanying 
drawings. The embodiment will be described, referring 
to the case where message data is subjected to 
compression/encryption processing by use of a hash 
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function utilizing an improved and generalized CBC mode. 

Fig. 1 shows the data processing apparatus employed 
in the embodiment. Referring to Fig. 1, a block proc- 
essing section 11 divides input message data B into a 
5 plurality of blocks, and the resultant data blocks Bi 

(i - 1, 2 k+1, k+2 m) are output in parallel 

at appropriate time intervals. Each data block B t is 
supplied to the corresponding one of encryption process- 
ing circuits 12i. 
10 The encryption processing circuits 12 ± are of the 

same configuration, and an initial parameter I 0 (which 
can be used as a key) is determined for the first one 
12 X of encryption processing circuits 12^ Each of the 
remaining encryption processing circuits 12j. receives 
15 data block Bi, and encrypts it on the basis of the proc- 
essing result Ci _i* (when i=l, C 0 # -I 0 ) of the preceding 
processing circuit. The result of processing of the 
- final processing circuit 12 m is the compressed and encr- 
ypted data of message data B. 

Fig. 2 shows the circuit configurations of the 
(k+l)th and (k+2)th ones of the encryption processing 
circuits 12i mentioned above. Referring to Fig. 2, the 
(k+l)th data block is supplied to an adder lfc+i- By 
this adder, the kth processing result C k # (when k=0, 
C 0 *=Io> ^ added to the data block B k+1 . The result of 
this addition is supplied to an encryption processor 
2 k+1 . The encryption processor 2 k+1 selects one of 
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pre-stored N encryption function algorithms (hereinafter 
referred to as "encryption algorithms" or simply as 
"algorithms") a 0 to A^-i , in response to a selection 
signal s k supplied from a kth algorithm selection 
controller, and encrypts the addition result of the 
adder l k+1 by use of the selected algorithm. 

The processing result C k+1 of the encryption proc- 
essor 2 k+1 is supplied to both a mask processor 3 k+1 and 
a mask controller 4 k+1 . 

Upon reception of the processing result . Ck +1 , the 
mask controller 4 k+1 identifies the history of the 
encryption algorithm executed by the encryption 
processor 2 k+1 and stores the data obtained by the 
identification. Then, the mask controller 4 k+1 deter- 
mines a control value ( b k , b k+1 ) dependent on the 

entirety or part of the encryption algorithm, and sup- 
plies the determined control value to the mask processor 
3 k+i- 

Since the history of the encryption algorithm exe- 
cuted by the encryption processor 2 k+1 can be stored as 
data in the encryption processor 2 k+1 , the mask control - 
ler 4 k+1 may be supplied with the history data directly 
from the encryption processor 2 k+1 . 

The mask processor 3 k+1 performs mask processing 
with respect to the processing result C k+1 of the enc- 
ryption processor 2 k+1 , such that the processing result 
C^+i cannot be read or presumed afterwards. To be more 
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specific, the entirety or part of the processing result 
Ck+1 i s replaced with other values on the basis of the 

control value ( b k , b k+ i) supplied from the mask 

controller 4 k+1 . The result C k+1 * of the mask process- 
5 ing is supplied to the (k+2)th adder lk+2- 

The processing result Ck+i of the encryption proc- 
essor 2k+i is also supplied to an algorithm selection 
controller 5 k+ i- By this controller 5 k+1 , an encryption 
algorithm to be executed by a (k+2)th encryption proces- 
10 sor 2 k+2 is determined, using a statistical method which 
is dependent on both the encryption algorithm A k 
executed by the encryption processor 2 k+1 and the val- 
ues of the entirety or part of the processing result 
Ck +1 obtained by the execution of the encryption algo- 
15 rithm A k . A selection signal S k+1 representing the 
determined encryption algorithm is supplied to the 
(k+2)th encryption processor 2 k+2 . 

Just like the (k+l)th encryption processing 
circuit, the (k+2)th encryption processing circuit for 
20 performing encryption of data block B k+2 is made up of 
an adder l k+ 2' an encryption processor 2 k+2 , a mask 
processor 3 k+2 , a mask controller 4 k+2 , and an algorithm 
selection controller 5 k+2 . The operations of these 
structural components are similar to those of the struc- 
25 tural components of the (k+l)th encryption processing 
circuit . 

The configuration and operation of each of the 
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other encryption processing circuits (namely, the first 
through ith processing circuits and (k+3)th through m-th 
processing circuits) are similar to those mentioned 
above. Therefore, the configurations of the other enc- 
ryption processing circuits are not shown in the 
drawings, and reference to the operations of them will 
be omitted herein. It should be noted that since each 
encryption processing circuit processes the data output 
from its preceding encryption processing circuit, the 
block processing section 11 has to supply data blocks B ± 
to the respective encryption processing circuits with 
appropriate time delays. 

The reasons why data collision can be prevented in 
the above-mentioned data processing apparatus will now 
15 be explained. 

The compression/encryption procedures of message 
data are defined by the following formulas: 

C k+1 = A k (C k # + B k+1 ) ... (1) 

Ak+l = g(A k , [C k+1 ] n ) ... (2) 

Ck+1 # - C k+ i + [b k _ r+2 ... b k b k+1 ] ... (3) 

where 0 £ k £ (m-l ) . 

Assuming that 1 £ i £ (n+a) and r(n+a)=L, the 
following formulas are obtained: 
t b k-r+2 • • • b k b k+1 ] 

= [bk- r+2 (n ... b k( i) bk+1 (i)] ... (4) 

b k+l (i > = P(5k+l .: A k -> A k+1 ) ... (5) 

When k=0 in these formulas, A 0 denotes 
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an arbitrarily-designated initial algorithm, and C 0 # 
denotes an appropriate initial vector (initial 

parameter) Io- 

What is meant by each of the above formulas (l)-(5) 

5 will be explained. 

Where Afc denotes the encryption algorithm executed 
by the (k+l)th encryption processing circuit, encrypted 
data Cfc+i is derived from the processing result Ck# of 
the kth encryption processing circuit and the present 
10 data block Bfc+i by use of the encryption algorithm Afc. 
(formula (1) ) 

Then, an encryption algorithm Afc +1 to be executed 
in the next encryption processing circuit (i.e., the 
(k+2)th processing circuit) is determined based on both 
15 n bits [Ck +1 ] n included in the encrypted data Cfc+i 

(e.g., lower n bits of the encrypted data) and the enc- 
ryption algorithm Afc presently executed. (formula (2)) 

The encryption algorithm Ak +1 to be executed in the 
next encryption processing circuit can be determined in 
20 various methods. One of the methods is a method wherein 
the n bits of the encrypted data C^+i and the present 
encryption algorithm Afc are used such that the temporal 
changes in the encryption algorithm form a finite-state 
discrete-time Markovian process. 
25 To realize this method, the use of a trellis dia- 

gram of the convolutional codes of an encoding rate of 
n/(n+a) is effective. The trellis diagram is one of the 
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representations of convolutional codes and is a kind of 
state transition diagram. The trellis diagram is 
featured in that all states are shown in relation to 
time. 

Pig. 3 is a block circuit diagram showing the con- 
figuration of a general convolutional encoder, and Pig. 
4 is a trellis diagram corresponding to the operation of 
the convolutional encoder. In the convolutional encoder 
shown in Figs. 3 and 4, an encoded output of 2 bits is 
produced in response to an information input of l bit, 
so that the encoding rate is 1/2. 

Referring to Fig. 3, a 1-bit information input is ' 
sequentially shifted by 1-bit shift registers SRj. and 
SR 2 . The 1-bit information input is added to the output 
of shift register SR 2 by an adder AD X , to thereby obtain 
a signal yi . Also, the l-bit information input is added 
to the output of shift register SR 2 by an adder AD 2 , and 
the resultant signal is added to the output of register 
SR X by an adder AD 3 , to thereby obtain a signal y 2 . 
Signals y 2 and y 2 are alternately output by means of a 
switch SW. 

In Fig. 4, the states of registers SR X and SR 2 are 
shown in the vertical direction, and time k is shown in 
the horizontal direction. When information bit "1" is 
input in the state where k=0 and the contents of regis- 
ters SR X and SR 2 are (00), the contents of registers SRi 
and SR 2 become (01) when k=l. This state transition is 
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indicated by the broken lines. 

In Fig. 4, an encoder output (11) is assigned to 
line segments corresponding to the state transitions. 
The line segments are generally referred to as 
5 "branches", and the encoder output (11) is often 
referred to as "branch codes". 

When information bit "0" is input., the contents of 
registers SRi and SR 2 become (00). This state transi- 
tion is indicated by the solid lines. The related 
10 encoder outputs <00> are assigned to the corresponding 
transition branches. 

In the trellis diagram representation, a series of 
branches are referred to as a "path", and each of the 
paths extending from the left side to the right side of 
15 the trellis diagram corresponds to a code. 

The convolutional codes mentioned above and the 
trellis diagram thereof are described in detail in A.J. 
, viterbi, Convolutional Codes and Their Performa nce in 
Communication Systems , IEEE Trans. Commun. Technol, 
20 vol. COM-19, NO. 5, pp. 751-772, 1971. 

When state Afc in the trellis diagram subsequently 
changes to new state A k+1 in response to input of n bits 
(information bits), a new branch code represented by 

b k+l (i) (1 * i * n+Q ) 
25 is produced, (formula (5)) By use of the past history 
of the branch codes including this new branch code 
(formula (4)), the entirety (or part) of the values of 
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the history is replaced with other values dependent on 
the entirety (or part) of the history of the algorithms, 
thereby concealing the value of c k+1 . The result 
obtained thereby is expressed as c k+1 # (formula (3,,. 

A description will be given of the conditions under 
which data collision occurs. m view of the 
definitions, it is understood that data collision occurs 
when the hash values C ra # and W )» of two different 
message data items M and M' coincide with each other, 
in the following, therefore, a description will be given 
of the condition under which the hash values coincide 
with each other. 

The hash values C m # and W )• of the different 
message data items M and M 1 are represented by: 
c m # = C m + [b m _ r+1 b m _ r+2 ... b^] 
<C m ')* = c m - + [bn,.^. b m _ r+2 . ... bm , ] 
Hence, the two hash values become equal to each 
other when the following two. conditions are satisfied: 
c m = C m ' 

Ibm-r+i b m _ r+2 ... bm] = [bm . r+1 . brn . r+2 . ... ^.j 
With the latter relationships in mind, the follow- 
ing conditions are initially determined: 
A m-r - A m _ r « 

C m _ r # + Bm _ r+1 = (C m . r ')# + B m _ r+1 . ... (6) 

in this case, the following formula is obtained 
because of the assumption: 



BNSDOCID: <GB 2294140A l_> 



- 14 - 



Cm-r+l - Am-r (Cm-r* + B m-r+l) 

= A m _ r ' {(Cm-r')* + B m . r+ i'} 

Hence, the following formula is satisfied: 

5 [Cm-r+lln = [Cm-r+l' In 

Accordingly, the following two formulas are 

derived : 

Am-r+l ~ A m _ r+ i' 

bm-r+l = bm-r+l' 
10 Next, let it be assumed that the condition repre- 

sented below is satisfied: 

C m _r+1 # + B m . r+2 - (Cm-r+l' )* + B m - r +2' (?) 
in this case, the following formula is obtained: 

Cm-r+2 ■ A m-r+l (Cm-r+l # + B m-r+2> 
15 - Am-r+l' C (Cm-r+l ')# + B m _ r+2 ' ) 

= Cm-r+2* 

Hence, the following formula is satisfied: 
[Cm-r+2)n = [C m -r+2']n 

Accordingly, the following two formulas are 
20 derived: 

Am-r+2 = A m-r+2' 
Bm-r+2 ■ b m-r+2* 

After similar procedures are repeated, the condi- 
tion represented below is assumed: 

C m -l # + B m = (C m -i') # + B m ' ••• ( 8 > 

In this case, the following formula is obtained: 



25 
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On - Am.! (Cm-i* + B m ) 

= Am-l' {(C m _!' )* + B m ' } 
= c m' 

Hence, the following formula is satisfied: 
[C m ] n = [C m '] n 

Accordingly, the following two formulas are 
derived : 

Am = A m ' 
bm = bn,' 

At the time, the condition represented by the fol- 
lowing formula is confirmed: 

tbrn-r+1 b m-r+2 b m ] = [b m _ r+1 - b m _ r+2 » ... b m «) 

Hence, the following formulas are satisfied: 
c m # - C m + [b m _ r+1 b m _ r+2 . . . bm] 
15 (C m V)* = Cm' + [bm_ r+1 - b m - r+2 ' ... bm'] 

From these formulas, the following is obtained: 
Cm* = (C m ') # 

In view of the above, it is understood that the 
conditions under which data collision occurs are repre- 
sented by the following four conditions: 

A m-r = Am-r' ... (11) 

C m -r* + Bm- r+ i = (Cm- r ')# + B m _ r+1 ' ... (12) 

Cm-r+1* + Bm- r+ 2 = (C m -r+l') # + Bm_ r+ 2' ... (13) 
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Cm-1* + B m = (C m -i') # + B m ' ... (lr) 

The condition for satisfying formula (li) will be 
considered. Since an algorithm changes in accordance 
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with the trellis structure of a limited length (v 0 =nv), 
the condition for satisfying formula (11) is the time 
when the following three formulas (21)-(2v) are satis- 
fied simultaneously: 

[C m _ r _v+i3n = [Cm-r-v+l'ln ••• < 21) 

[C m _ r _v+2]n - [C m -r-v+2'3n ■•• < 22) 

P • • • 

[Cm-rln = [C m -r'3n ••• < 2v) 

Specifically: 

[A m _ r _ v (C m _ r _v # + B m _ r -v+l)]n 

= [Am-r-v' ((Cm-r-v 1 )* + B m _ r _ v+ i')]n ••• < 31 > 
[A m _ r _ v+ i (C m _ r -v+l # + B m _ r _ v+ 2)]n 

= [A m _ r _v+i' ((Cm-r-v+l' >* + Bm-r-v+2')3n 

... (32) 

[A m _ r _! (C m _ r _i # + B m _ r )] n 

- tAm-r-l' ((Cm-r-l')* + B m _ r ')] n (3v) 

Assuming that the values up to the values of 
Am-r-v' and (C m _ r _ v ') # are known values, a description 
will be given as to how the values of B m _ r _ v +i' "to B m _ r ' 
that are factors of M 1 are determined. 

First, the value of B m _ r _ v+ i' is determined in such 
a manner as to satisfy formula (31). (It should be 
noted that the value of B m _ r _ v+ i' cannot be determined 
without reference to the other values.) When the value 
of B m _ r _ v+ i' is determined, values are determined in the 
order of C m _ r _ v +i ' - A m _ r _v+i' - (C m - r -v+l ' > # > in 
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accordance with the following formula: 

C m-r-v + i' = A m-r-v' << C m-rV> # + B m-r-v + l ') 
A m-r-v+l' =g(A m _ r _ v ' / [C m _ r _ v+1 • ] n ) 

(C m - r -v+i') # = C m _ r _ v+1 ' + [ bm-r-v+l'] 

5 The portion « included in the 

t bm-r-v+l 1 ] is specifically 

f bm-r-v+l 'bm-r-v* ] a ^d is a value determined 

dependent on the past history of the algorithm »...-» 
A m-r-v-i ~* A m _ r _ v '". Since the value represented by 

10 (C m _ r _ v -)# = C m _ r _ v « + [. bta-r-v-i' b m _ r _ v -] 

is a known value because of assumption, the value of the 

P ° rtion " " deluded in the [ bta- r . v+1 .] can 

be regarded as being determinate. Therefore, if it is 
assumed that the values up to the value of (C m _ r _ v ')# 
are known, the value of (C m _ r _ v+1 • ) # can be regarded as 
being determined based only on B m _ r _ v+1 «. 
After similar procedures are repeated, the value of 
B m-r' is determined in such a manner as to satisfy for- 
mula (3v). as a result, values are determined in the 
order of c m _ r ' - A m _ r ' -* (cm-r')*- 

It should be noted that the value of (C m _ r ')# is 
dependent on the value of B m _ r _ v+1 - determined at the 
beginning. 

When the values up to the value of (C m _ r ')# have 
25 been determined, consideration can be made in relation 
to formulas (11) to (lr) indicated above. That is, if 
it is assumed that the values up to the values of 
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Am-r-v' and (Cm-r-y' ) # a *e known, the formulas below are 
satisfied and data collision occurs: 
[Am-r-v (C m -r-v # + B m _ r _ v +l)]n 
= [Am-r-v 1 ((Cm-r-v*)* + B m _ r _ v+1 • } ] n ( 41 ) 
5 [Am-r-v+1 (C m -r-v+l # + B m _ r _ v +2)]n 

= [A m _ r _ v+ i' {(Cm-r-v+l* ) # + Bm-r-v+zMln 

... (42) 

• • • 

[Am-r-l (Qn-r-1* + B m-r)]n 
10 = [A m _ r _i' C(C m - r -l') # + B m _ r ')] n ( 4V > 

C m - r # + B m - r +l ■ (C m -r') # + B m _ r+1 ' ... (51) 

C m - r+ l # + B m _ r+2 = (C m -r + l') # + B ro - r - + 2 , (52) 

• • • 

C m -i* + B m = (Cm-!')* + B m ' <5r) 
15 The satisfaction of these formulas is one of the 

sufficient conditions under which data collision occurs. 
In comparison with the CBC mode of data encryption, the 
* above-noted condition under which data collision occurs 
is very strict. The number of the formulas representing 
20 the condition is (v+r), and it should be noted that the 
condition is expressed by not only the parameter v which 
controls the number of encryption algorithms but also 
the parameter r which is dependent on the history length 
of the encryption algorithm related to the concealment 
25 of encrypted data. In other words, the advantages of 
the above-noted condition is more than the advantages 
obtained by merely using a number of encryption 
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algorithms . 

As can be seen from the above detailed 
descriptions, the present invention is featured in two 
points. First, a plurality of encryption algorithms 
selectively used by the encryption processing circuits 
are not switched from one to another in response to a 
deterministic control signal; they are switched from one 
to another in a statistic method dependent on the result 
of the preceding encryption processing circuit. Second, 
the value obtained by the present-time encryption 
processing is concealed by use of a value or values 
dependent on the entirety or part of the past history of 
encryption algorithms before it is supplied to the next 
encryption processing circuit, to thereby leave no data 
suggestive of the control under which an encryption 
algorithm is changed. 

Because of these features, it is practically impos- 
sible for a third party to know a series of encryption 
algorithms actually used in the hashing processing. in 
addition, since encrypted data is concealed by use of a 
value or values dependent on the entirety or part of the 
past history of the encryption algorithms, it is very 
difficult to prepare message data whose hash value. coin- 
cides with that of the message data encrypted by the 
25 present invention. 

In the embodiment mentioned above, the encryption 
processing circuit can be grouped into blocks such that 
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each block is made by one encryption processing module. 
If, in this case, each encryption processing module is 
designed such that it executes both the determination of 
a new encryption algorithm to be used in the next module 
and the concealment of the data encrypted by the 
present-used encryption algorithm, the apparatus incor- 
porating such modules can ensure very reliable data 
security. 

Since the encryption processing circuits are the 
same in configuration, the adder 1, encryption processor 
2, mask processor 3, mask controller 4, and algorithm 
selection controller 5 of one processing circuit may be 
fabricated as one module, and this module may be repeat- 
edly used for data blocks B ± to B m , as shown in Fig. 5. 
If this is done, the entire apparatus can be considera- 
bly simplified. 

in the case shown in Fig. 5, the block processing 
section 11 divides message data B into data blocks B L to 
B m and supplies the data blocks B x to B m to the adder 1 
on the time divisional basis. The processing result C ± * 
of the mask processor 3 is fed back to the adder 1, and 
a selection signal S produced by the algorithm selection 
controller 5 is supplied to the encryption processor 2, 
so as to determine the encryption algorithm to be used 

subsequently. 

Further, an output controller 6 is provided. When 
the mask processor 3 produces the processing output C m * 
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corresponding to the last data block a*, the output con- 
troller 6 outputs the processing output C m # as a com- 
pressed and encrypted processing result. With this data 
processing, the apparatus can be very simple in configu- 
ration and yet the same operation similar as that of the 
case shown in Pig. i can be realized. 

The technique for processing data by selectively 
using a plurality of function algorithms is not limited 
to the encryption processing described above; it is 
applicable to various kinds of data conversion. Fig. 6 
shows an example of a general-purpose data processing 
module which can be applied not only to the data proc- 
essing apparatuses shown in Pig. i and 5 but also to 
other types of data processors. 

Referring to Fig. 6, a function processor 21 stores 
N function algorithms F 0 to F N -l . The function algo- 
rithm executed by the function processor 21 is deter- 
mined in response to a selection signal supplied from an 
algorithm selection controller 22. when function algo- 
rithm Fk is selected, the function processor 21 carries 
out calculation F k (X)=v with respect to input data x. 

The function algorithm selection controller 22 
receives the result of the calculation F k( x,=Y performed 
by the function processor 21. On the basis of the 
entirety or part of the received result, the function 
algorithm selection controller 22 determines function 
algorithm F k+1 to be subsequently executed by the 
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function processor 21, and supplies a selection signal S 
to the function processor 21 . 

As described above, the function algorithm can be 
changed from to F k+ i in a variety of methods, and one 
of such methods is a statistic method wherein the tempo- 
ral changes in the encryption algorithm are regarded as 
forming a finite-state discrete-time Markovian process. 
Needless to say, the function algorithm may be changed 
deterministically on the basis of calculation result Y . 

According to the above configuration, the function 
algorithm to be used next is determined on the basis of 
the result of calculation performed by the function 
processor 21, and this determination process is carried 
out within the module. Therefore, a third party cannot 
understand which algorithm is being executed at each 
stage of the processing. 

As indicated by the dotted lines in Fig. 6, the 
function algorithm may be changed in response to 
externally-input data X'. In this case, the algorithm 
selection controller 22 compares the calculation result 
F)c(X) of the function processor 21 with the externally- 
input data X', and determines the next function algo- 
rithm Ffc +1 on the basis of the comparison. The function 
algorithm can be changed deterministically or statisti- 
cally in this modification as well. 

When putting the above modification into practice, 
the following control may be available. That is, when 



the comparison shows that F k (X) is equal to X', the pre- 
sent algorithm P k is maintained unchanged, and when the 
comparison shows that F k (X) differs from X', the present 
algorithm Ffc is changed to another algorithm Ffc+i- 

According to the above configuration, the function 
algorithm is not designated directly by the externally- 
input data x*. Therefore, a third party cannot know the 
processing performed inside the apparatus even when the 
function algorithm is externally selected or controlled. 

In the embodiment shown in Fig. 6, the result of 
the calculation Fk(X)=Y performed by the function 
processor 21 is not output as it is. in other words, it 
is masked in an output converter 2 3 by replacing it with 
other values, before it is output. Therefore, further 
reliable data security is ensured. 

In the present invention, various data masking 
methods are available. in the case where the temporal 
changes in the algorithm form a finite-state discrete- 
time Markovian process, a method which uses a value Bj 
(J £ k) dependent on the history of the algorithms exe- 
cuted so far is applicable. That is, value Y is changed 
by use of the value Bj as follows: Y»=Y+B-j (j £ k). 

In the embodiment shown in Fig. 6, a mask control- 
ler 24 identifies the history of the past algorithms on 
the basis of the calculation result Y of the function 
processor 21, and calculates a value B-j dependent on the 
history. With this value -j supplied to the output 
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converter 23, the masking processing mentioned above is 
performed. 

Needless to say, the output conversion need not be 
performed by the mask controller 24. It may be carried 
out on the basis of fixed data stored in the output con- 
verter 23. In addition, if the function processor 21 is 
made to store data on the history of the function 
algorithm, the mask controller 24 may receive the his- 
tory data directly from the function processor 21, as 
indicated by the dotted lines in Fig. 6. 

The above embodiment was described, referring to 
the case where the function algorithms stored in the 
function processor 21 are independent of one another. 
However, this in no way limits the present invention. 
For example, one function algorithm may be a combination 
of one fundamental algorithm portion F and a plurality 
of sub algorithm portions Gq to G N _i, and the entire 
algorithm may be changed by controlling only the sub 
algorithm portions G 0 to G N _i- If this is performed, 
the function processor 21 need not have a large storage 
capacity to store the function algorithm, so that a 
reduction in the circuit scale can be attained easily, 
as in the case where the module is fabricated as a large 
scale integrated circuit. 

In the above embodiment, the function processor 21 
has only one input terminal. However, the present 
invention is not limited to this. As is indicated by 
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the broken line in Fig. 6, an output of the output con- 
verter 23 may be fed back to the function processor 21. 

The entire module need not be fabricated as a large 
scale integrated circuit. in other words, the function 
processor 21 may be divided into an algorithm storage 
section and an arithmetic processing section. In this 
case, an algorithm is read out from the algorithm stor- 
age section in response to a selection control signal 
supplied from the algorithm selection controller 22, and 
the readout algorithm is supplied to the arithmetic 
processing section. If the algorithm storage section 
designed such that the algorithms therein can be varied 
or a new algorithm can be to added thereto, then data 
security can be made further reliable, and the range of 
application of the embodiment can be widened. 

Where the data processing module mentioned above is 
applied to the data processing apparatus shown in Fig. 
5, the function processor 21 can be used as encryption 
processor 2; the algorithm selection controller 22, as 
algorithm selection controller 5; the output converter 
23, as mask processor 3; and the mask controller 24, as 
mask controller 4. The data processing module is also 
applicable to the data processing apparatus shown in 
Fig. l in a similar manner. 

The present invention is not limited to the embodi- 
ments described above. For example, the function algo- 
rithms are not limited to encryption algorithms 
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mentioned above; they may be algorithms which are used 
for other kinds of data conversion. When the present 
invention is reduced to practice, it can be modified in 
various manners without departing from the spirit of the 
invention. 
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CLAIMS : 

1 - A data processing module comprising: 

a function processor for storing a plurality of 
function algorithms therein and for executing a designated 
one of the function algorithms to perform function operation 
processing; and 

an algorithm selection controller for designating a 
function algorithm to be subseguently executed on the basis 
of a processing result obtained by the function processor. 

2 - A data processing module according to claim 1, 

wherein said algorithm selection controller controls a 
change in the function algorithms of the function processor 
by using a statistic method which is based on the entirety 
or part of the processing result (Y) obtained from a 
presently-executed function algorithm. 

3. A data processing module according to claim 1, 

wherein said algorithm selection controller controls a 
change in the function algorithms of the function processor 
by using a deterministic method which is based on the 
entirety or part of the processing result obtained from a 
presently-executed function algorithm. 

4 - A data processing module according to claim 1, 

wherein said algorithm selection controller performs 
comparison between the processing result obtained by the 
function processor and externally-input data, and designates 
a subsequently-executed function algorithm on the basis of 
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the comparison. 

5 . a data processing module according to claim 4, 

wherein said algorithm selection controller controls a 
change in the function algorithms of the function processor 
by using a statistic method which is based on the comparison 
between the processing result obtained from the presently- 
executed function algorithm and the externally- input data. 

6 . A data processing module according to claim 4, 
wherein said algorithm selection controller controls a 
change in the function algorithms of the function processor 
by using a deterministic method which is based on the 
comparison between the processing result obtained from the 
presently-executed function algorithm and the externally- 
input data. 

7. A data processing module according to claim 1, 
further comprising an output converter for outputting the 
processing result obtained by the function processor after 
replacing the processing result with another value. 

8 . A data processing module according to claim 7, 
further comprising an output conversion controller for 
controlling conversion performed by the output converter by 
using a value which is based on the entirety or part of a 
history of the function algorithms executed by the function 
processor . 

9. a data processing module according to claim 7, 
wherein said output converter performs output conversion on 
the basis of fixed data stored therein. 
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10. A data processing module according to claim 1, 
wherein each of said function algorithms stored in the 
function processor is a combination of one fundamental 
algorithm portion and a plurality of sub algorithm portions. 

11. A data processing apparatus , substantially as 
hereinbefore described with reference to the accompanying 
drawings. 
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